btca-bknd-repo-learn
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs users to install global packages btca and opencode-ai from unverified third-party sources using bun add -g. This introduces supply chain risks.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The instructions suggest downloading an instruction file from https://btca.dev/rule directly into .cursor/rules/. While formatted as markdown, these .mdc files define behavior for AI agents, allowing remote actors to influence or override agent logic.
- [DATA_EXFILTRATION] (LOW): The tool supports a btca serve command which exposes indexed repository data over an HTTP server on port 3000. If misconfigured or exposed to the network, this could lead to unauthorized access to local source code.
- [PROMPT_INJECTION] (LOW): The skill is designed to ingest and query untrusted content from external Git repositories (Category 8). This creates a surface for indirect prompt injection where malicious instructions embedded in a repository could manipulate the agent's output.
  - Ingestion points: Git repositories cloned to ~/.local/share/btca/resources/ (e.g., https://github.com/bknd-io/bknd).
  - Boundary markers: None specified in the instructions; protection depends on the internal implementation of the btca tool.
  - Capability inventory: Terminal command execution, network access for repository cloning, and local server hosting.
  - Sanitization: Not explicitly mentioned; the skill relies on the underlying LLM's safety filters and the btca tool's handling of content.
- [COMMAND_EXECUTION] (LOW): The skill provides numerous CLI commands for repository indexing and querying that are intended for manual execution by the user.
Audit Metadata